
MedBytes

By Elliott B. Oppenheim
April 01, 2003

HIPAA represents the government's broad attempt to safeguard medical records in the electronic era. The HIPAA security standards were issued by the Department of Health and Human Services, Office of the Secretary, at 45 CFR Parts 160, 162, and 164, under the title "Health Insurance Reform: Security Standards," through the Centers for Medicare & Medicaid Services (CMS), HHS. This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers.

The use of the security standards will improve Medicare, Medicaid and other federal health programs, private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The effective date was April 21, 2003. Covered entities, with the exception of small health plans, must comply with the requirements of this final rule by April 21, 2005. Small health plans must comply by April 21, 2006.

To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Credit card orders can also be placed by calling the order desk at 202-512-1800 or by faxing to 202-512-2250. The cost for each copy is $10. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries, and at many other public and academic libraries throughout the country that receive the Federal Register. This Federal Register document is also available from the Federal Register online database through GPO Access, a service of the U.S. Government Printing Office. The Web site is http://www.access.gpo.gov/nara/index.html

The Department of Health and Human Services (HHS) Medicare Program, other Federal agencies operating health plans or providing health care, State Medicaid agencies, private health plans, health care providers, and health care clearinghouses must assure their customers (for example, patients, insured individuals, providers, and health plans) that the integrity, confidentiality, and availability of the electronic protected health information they collect, maintain, use, or transmit are protected.

The confidentiality of health information is threatened not only by the risk of improper access to stored information, but also by the risk of interception during electronic transmission of the information. The purpose of this final rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. Currently, no standard measures exist in the health care industry that address all aspects of the security of electronic health information while it is being stored or during the exchange of that information between entities.

This final rule adopts standards as required under title II, subtitle F, sections 261 through 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191. These standards require measures to be taken to secure this information while in the custody of entities covered by HIPAA (covered entities) as well as in transit between covered entities and from covered entities to others.

Congress included provisions to address the need for safeguarding electronic health information and other administrative simplification issues in HIPAA. In subtitle F of title II of that law, Congress added to title XI of the Social Security Act a new part C, titled “Administrative Simplification” (hereafter, we refer to the Social Security Act as “the Act”; we refer to the other laws cited in this document by their names). The purpose of subtitle F is to improve the Medicare program under title XVIII of the Act, the Medicaid program under title XIX of the Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements to enable the electronic exchange of certain health information.

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose requirements on HHS, health plans, health care clearinghouses, and certain health care providers. These statutory sections are discussed in the Transactions Rule, at 65 FR 50312, on pages 50312 through 50313, and in the final rules adopting Standards for Privacy of Individually Identifiable Health Information, published on December 28, 2000 at 65 FR 82462 (Privacy Rules), on pages 82470 through 82471, and on August 14, 2002 at 67 FR 53182. The reader is referred to those discussions.

Section 1173(d) of the Act requires the Secretary of HHS to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, the need to train persons who have access to health information, the value of audit trails in computerized record systems, and the needs and capabilities of small health care providers and rural health care providers. Section 1173(d) of the Act also requires that the standards ensure that a health care clearinghouse, if part of a larger organization, has policies and security procedures that isolate the activities of the clearinghouse with respect to processing information so as to prevent unauthorized access to health information by the larger organization. Section 1173(d) of the Act provides that covered entities that maintain or transmit health information are required to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information. These safeguards must also otherwise ensure compliance with the statute by the officers and employees of the covered entities.

HHS originally proposed to add part 142, titled “Administrative Requirements,” to title 45 of the Code of Federal Regulations (CFR). It has now been determined that this material will reside in subchapter C of title 45, consisting of parts 160, 162, and 164. Subpart A of part 160 contains the general provisions applicable to all the Administrative Simplification rules; other subparts of part 160 will contain other requirements applicable to all standards. Part 162 contains the standards for transactions and code sets and will contain the identifier standards. Part 164 contains the standards relating to privacy and security. Subpart A of part 164 contains general provisions applicable to part 164; subpart E contains the privacy standards. Subpart C of part 164, which is adopted in this final rule, adopts standards for the security of electronic protected health information.

Find the new HIPAA regulations at http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/03-3877.htm. These new regs were published in the Federal Register, February 20, 2003, in volume 68, number 34, as Rules and Regulations, Pages 8333-8381. This information is also available from the Federal Register Online via GPO Access at www.wais.access.gpo.gov.

HIPAA Cheat Sheet

What should health care providers do differently now that the HIPAA privacy rule has taken effect? Here's a quick cheat sheet to help you make sure that HIPAA has been implemented in the health care facility in question:

  • Post Notice of Privacy Practices in a clear, prominent location.
  • Give patients copies of your Notice of Privacy Practices … and make good-faith efforts to obtain written evidence of their receipt of them.
  • Avoid verbal discussions of protected health information (PHI) on the phone or in reception/waiting areas that are within earshot of people who do not have a need to know.
  • Do not leave PHI on telephone answering machines.
  • Do not include PHI in announcements made in your waiting rooms.
  • Try to get some sense of whether your patients want you discussing their PHI with their family and friends, and restrict info if not.
  • Limit (or to the extent possible eliminate) patient information on whiteboards, X-ray boxes, computer screens and other areas that may be visible to the public and those who do not need access to PHI.
  • Follow safeguards for PHI that is transmitted by fax or e-mail (or prohibit these activities until prudent safeguards can be put in place).
  • File away promptly (and lock at night) folders that contain patient medical records.
  • Make sure that computer/network security measures are in place (e.g., that screensavers kick in quickly, passwords are not taped to the monitor, machines are turned off at night, and access from off site is carefully restricted).
  • Make sure the physical plant is locked down at night, with windows closed and doors locked.
  • Remove signage that would help an ill-intentioned person find PHI (e.g., a sign on the patient's records department that reads “Confidential Patient Information”).
  • Remind people that only the “minimum necessary” PHI should be disclosed to anyone.
  • Make sure all work-force members who leave your employment turn in their keys and building cards and lose their network access.
  • Make sure written authorizations to use and disclose PHI are received except for treatment, payment, operations and exceptions permitted in sec. 164.510-512.
  • Make sure new and existing employees are aware of your schedule for ongoing HIPAA privacy training.
  • Whatever records you decide to keep to manage (and as evidence of) your privacy compliance, they should have begun April 14.
  • Make sure everyone is aware of the rights patients have to review and to get copies of their records, and what procedures will be followed.
  • Make sure everyone knows who patients should speak with if they have questions about their HIPAA privacy rights.
  • Be sure everyone in your work force knows who your privacy officer is and who they should contact with patient privacy questions or problems, or if someone has a complaint or wants to report a violation of your organization's privacy policies.

Elliott B. Oppenheim, MD, JD, LLM Health Law

